Imagine you went to a restaurant for dinner and became violently ill. After a little investigation, you find out that some of your food was uncooked, that the salad was prepared with a knife that had been used to cut raw chicken and that the mayonnaise in the dressing had been kept in a broken refrigerator.
With all this information, you would think that youd have a pretty good case to get compensated for your medical bills and lost workdays—and that the restaurant would be in pretty big trouble with the health inspectors.
But youd be wrong. Instead, the restaurant would defend its actions, saying, "Hey, we did cook your food; we just didnt cook it enough. And the cook did wipe the raw chicken knife before making the salads, but it was on his apron. And, oh, yeah, the regulations say only that we have to put the mayonnaise in a refrigerator; they dont say anything about the refrigerator actually working."
Even worse, the authorities would agree, basically saying that the restaurant doesnt need to prepare food safely; it need only make a token attempt to do so.
Imagine the outcry if something like this happened? I can already see the coverage on my local TV news: "Local judge says its OK for restaurants to poison you. Full story at 11."
But when it comes to securing your personal data, a judge has basically decided companies can do the bare minimum or less when it comes to data safety and get away with it.
As detailed in an article on the SecurityFocus Web site (www.securityfocus.com/ columnists/387), a recent Minnesota court case involved a consumer whose personal financial information was lost by the company that handled his student loan.
It turned out that this company let an analyst load detailed—and unencrypted—information about more than 500,000 loans onto a personal laptop and bring it home.
It was no surprise that the analysts laptop, along with the personal financial data of all those loan customers, was stolen.
After the company informed customers about the data loss, one decided to seek reparations for the time and money he lost—as well as the fear that was caused—as a result of the companys negligence. So he sued.
Now, its not that this person didnt win that bothers me. Its the grounds on which the judge dismissed the case. The judge basically decided the loan company didnt really need to have good security as long as it had policies stating that it cared about security.
The judge also said it didnt matter that the data on the laptop wasnt encrypted because the pertinent law (the Gramm-Leach-Bliley Act) doesnt specify that data must be encrypted. In fact, as the SecurityFocus article points out, the law doesnt require that any specific security procedures be taken—only reasonable measures (which, I guess, means a user name of "admin" and a password of "password").
So, even though the loan company failed to meet even the most basic requirements for securing vital customer data, the judge decided it had done plenty and dismissed the case.
This relates to past columns Ive written about the dangers involved when judges and politicians who know nothing about technology make decisions that have long-lasting and negative consequences for all technology.
Under the strict letter of the law, the judge probably made the right decision. Thats because decisions such as this are based essentially on whether the defendant was doing what its peers typically do.
In fact, according to several studies in the last year, there are still more companies trying to get by with the security bare minimum than there are companies that take security seriously. So, based on the standard by which the judge was deciding the case, the loan company didnt do much worse than the average company.
As if no-responsibility software licenses werent bad enough, we consumers now have to face the fact that the companies that hold our personal data can lose it negligently and not have to face any repercussions.
And you know what? That just makes me feel sick.
Labs Director Jim Rapoza can be reached at firstname.lastname@example.org.